Microsoft has released its October 2023 Patch Tuesday security updates that address more than a hundred security vulnerabilities in its software, including two zero-day flaws said to have been actively exploited in the wild.
One of the zero-days is CVE-2023-36563, a Microsoft WordPad information disclosure issue that can be used to steal NTLM hashes when opening a document in WordPad. The second zero-day, tracked as CVE-2023-41763, affects Skype for Business server and can result in the leakage of sensitive information.
October 2023 Patch Tuesday also addresses an actively exploited vulnerability (CVE-2023-44487) known as the HTTP/2 Rapid Reset attack, used by an unknown threat actor to carry out high-volume distributed denial-of-service (DDoS) attacks, the largest of which peaked at 398 million RPS. According to Cloudflare, the worrying fact is that the attacker was able to achieve this using a relatively small botnet comprising 20,000 machines.
The “HTTP/2 Rapid Reset” technique abuses HTTP/2's stream cancellation feature to repeatedly open and immediately cancel requests, overwhelming the target server or application. Besides Cloudflare, Google and Amazon also published blog posts detailing the HTTP/2 Rapid Reset attacks they observed.
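The stream-cancellation abuse described above is what server-side mitigations have to recognise: a client that opens many streams and cancels each one within milliseconds, so that the server does the work while the client's per-connection stream budget is refunded straight away. The following is an added example, not code from the article nor from Cloudflare, Google, Amazon or Microsoft, of a per-connection limiter that counts only "rapid" resets (a RST_STREAM arriving within a few milliseconds of the HEADERS frame that opened the stream) over a sliding window and asks for the connection to be closed with GOAWAY once a budget is exceeded. The thresholds, connection names and frame events are constructed for illustration and are assumptions, not values from any vendor's implementation.

```python
"""Per-connection HTTP/2 rapid-reset rate limiter (defensive detection).

Added example, not from the article or any vendor. Frame events are constructed,
not captured traffic; thresholds are illustrative assumptions.
"""
from collections import deque

HEADERS = "HEADERS"
RST_STREAM = "RST_STREAM"


class RapidResetDetector:
    """Flags connections whose client opens streams and cancels them almost
    immediately at a high rate. Slow cancellations (a user navigating away)
    are ignored, which keeps ordinary clients below the budget."""

    def __init__(self, window_s=1.0, rapid_s=0.05, max_rapid_resets=100):
        self.window_s = window_s              # sliding window length (assumed)
        self.rapid_s = rapid_s                # "rapid" = reset within 50 ms of open (assumed)
        self.max_rapid_resets = max_rapid_resets  # budget per window (assumed)
        self._open_at = {}                    # (conn, stream_id) -> open timestamp
        self._rapid = {}                      # conn -> deque of rapid-reset timestamps
        self.closed = set()                   # connections already told GOAWAY

    def observe(self, conn, ts, frame, stream_id):
        """Feed one frame event; returns None, "GOAWAY" (close now) or "DROP"
        (frame arrived on a connection that was already closed)."""
        if conn in self.closed:
            return "DROP"
        if frame == HEADERS:
            self._open_at[(conn, stream_id)] = ts
            return None
        if frame == RST_STREAM:
            opened = self._open_at.pop((conn, stream_id), None)
            # Unknown stream or a slow cancel: ordinary client behaviour.
            if opened is None or ts - opened > self.rapid_s:
                return None
            q = self._rapid.setdefault(conn, deque())
            q.append(ts)
            while q and ts - q[0] > self.window_s:   # evict resets outside the window
                q.popleft()
            if len(q) > self.max_rapid_resets:
                self.closed.add(conn)
                return "GOAWAY"
        return None


def constructed_events():
    """Constructed frame log: one well-behaved client and one flooding client."""
    events = []
    # "legit": 30 streams over one second, two of them cancelled after 300 ms.
    for i in range(30):
        sid, t = 2 * i + 1, i * 0.033
        events.append(("legit", t, HEADERS, sid))
        if i in (5, 17):
            events.append(("legit", t + 0.3, RST_STREAM, sid))
    # "flood": 500 streams, each opened and reset 0.5 ms later, within half a second.
    for i in range(500):
        sid, t = 2 * i + 1, i * 0.001
        events.append(("flood", t, HEADERS, sid))
        events.append(("flood", t + 0.0005, RST_STREAM, sid))
    events.sort(key=lambda e: e[1])
    return events


def run_sample():
    """Returns {conn: stream_id} for each connection that triggered GOAWAY."""
    detector = RapidResetDetector()
    decisions = {}
    for conn, ts, frame, sid in constructed_events():
        if detector.observe(conn, ts, frame, sid) == "GOAWAY":
            decisions[conn] = sid
    return decisions


if __name__ == "__main__":
    print(run_sample())  # the flooding connection is closed at its 101st rapid reset
```

In a real server this check belongs in the framing layer, before a handler is spawned for the stream; the budget and the "rapid" threshold would be tuned against the service's own cancellation baseline, and a GOAWAY followed by dropping further frames limits the work a single connection can impose.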
Microsoft has also fixed multiple high-risk vulnerabilities in Microsoft Windows Search, Windows Kernel, Azure RTOS GUIX Studio, Windows MSHTML Platform, Windows Media Foundation Core, and other products.
Additionally, Redmond announced it is planning to phase out the VBScript scripting language. VBScript will be available as a Feature on Demand before it is removed completely in future Windows releases.